
share.google returns HTTP 200 for HEAD but 301 for GET on the same URL, violating RFC 9110 Section 9.3.2

  • April 27, 2026
  • 3 replies
  • 54 views

dragoangel

Hi, I want to report annoying behavior of share.google in the hope that somebody from the Google dev team can hook in and fix this security gap.

Right now, links to https://share[.]google/EnyBDZiv3ksnQT9xZ lead to https://www.google.com/share[.]google?q=EnyBDZiv3ksnQT9xZ via a 301 redirect on both HEAD and GET, but from that point https://www.google.com/share[.]google?q=EnyBDZiv3ksnQT9xZ replies with a 302 redirect only on GET, and not on HEAD. This is a violation of RFC 9110 Section 9.3.2 and prevents automated systems from safely verifying the destination link, which matters because share.google is in 99% of cases now used as an obscurity platform to spread phishing, fraud, malware and other bad things.
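A check for the discrepancy described above, as an added example that is not part of the original post or of any Google tooling: it probes a URL with HEAD and with GET without following redirects and flags any difference in status or Location. It runs here against a constructed local mock that reproduces the reported behaviour; the mock, its paths and the example.invalid destination are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

def probe(url, method, timeout=5):
    """Send one request, do NOT follow redirects, return (status, Location)."""
    u = urlparse(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    conn.request(method, path, headers={"User-Agent": "head-get-probe/1.0"})
    resp = conn.getresponse()
    resp.read()  # drain so the connection can be closed cleanly
    conn.close()
    return resp.status, resp.getheader("Location")

def head_get_mismatch(url):
    """RFC 9110 9.3.2: HEAD should carry the status and headers GET would.
    Return None when the two agree, else a dict a scanner can alert on."""
    head, get = probe(url, "HEAD"), probe(url, "GET")
    return None if head == get else {"url": url, "head": head, "get": get}

class _MockHandler(BaseHTTPRequestHandler):
    """Constructed mock of the reported behaviour; not the real share.google.
    /consistent/* redirects on both methods, anything else only on GET."""
    TARGET = "https://example.invalid/final"  # placeholder destination
    def _redirect(self):
        self.send_response(302)
        self.send_header("Location", self.TARGET)
        self.end_headers()
    def do_GET(self):
        self._redirect()
    def do_HEAD(self):
        if self.path.startswith("/consistent/"):
            self._redirect()
        else:  # the inconsistent case: 200 on HEAD, redirect only on GET
            self.send_response(200)
            self.end_headers()
    def log_message(self, *args):  # keep the mock quiet
        pass

def start_mock_server():
    """Start the mock on an ephemeral localhost port; return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), _MockHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

if __name__ == "__main__":  # stand-alone demo against the mock
    print(head_get_mismatch(start_mock_server() + "/some-token"))
```

Point `head_get_mismatch` at a real shortener URL to check it the same way; a non-None result is the case a scanner that relies on HEAD alone would miss.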

3 replies

Rob_P
Staff
  • Staff
  • April 27, 2026

@dragoangel 

This forum is for the Google Threat Intelligence product, not for general threat / security issues with Google products. You may have better results reporting this issue here instead:
 

  • Where to go: bughunter.google.com

  • How to report:

    1. Click on Report an Issue.

    2. Log in with a Google account.

    3. Select Google as the target.

    4. Provide a clear title (e.g., "Inconsistent 301/302 Redirects on share.google Evading Automated Scanners").

    5. In the description, paste the user's exact explanation. It is highly recommended to include the raw HTTP request and response headers for both the HEAD and GET requests to demonstrate the discrepancy clearly.

    6. Emphasize the security impact (that it is currently being abused to mask phishing and malware).


dragoangel
  • Author
  • New Member
  • April 27, 2026

Hi @Rob_P, thank you for the quick reply. I already visited bughunter.google.com, but it provides options which did not fit this use case, and because of this I decided to post it here. Thanks for the advice, I will follow it and hope it will work :)


dragoangel
  • Author
  • New Member
  • April 27, 2026

@Rob_P well, as expected, I got:

Hey! We've reviewed your report on the inconsistent redirect behavior (HEAD vs. GET) on share.google that you identified as an RFC 9110 violation. You pointed out that this behavior can allow malicious links to evade automated security scanners and leverage Google's domain reputation for phishing and malware distribution.

While we appreciate the detailed technical analysis, we've decided not to track this as a security bug under our Vulnerability Reward Program. The core issue you're describing primarily facilitates social engineering and phishing attacks. Our VRP focuses on technical vulnerabilities that directly endanger user data confidentiality or integrity, such as XSS or authorization flaws. We've found that addressing issues that solely facilitate social engineering doesn't significantly reduce our users' overall vulnerability to such attacks.

For more details on why these types of issues typically fall outside our VRP scope, check out this article: https://bughunters.google.com/learn/invalid-reports/invalid-attack-scenarios/attacks-facilitating-phishing-or-social-engineering.

If you believe we've misunderstood the technical security impact of your finding beyond facilitating phishing, please let us know!

Thanks for your report and time,
The Google Bug Hunter Team